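# Baseline tables for the system-folder permission audit.
# $folders lists what is inspected, $expectedOwners the owner each folder
# should have, and $expectedACLs the Allow entries (identity -> rights) the
# folder's DACL is compared against. A folder with no $expectedACLs entry
# (C:\System Volume Information) is still listed in the report, but only its
# owner is checked.
$folders = @(
    "C:\Windows",
    "C:\Program Files",
    "C:\Program Files (x86)",
    "C:\ProgramData",
    "C:\Users",
    "C:\System Volume Information"
)

# Expected owner per folder; compared with $acl.Owner (PowerShell -ne is
# case-insensitive, so "nt service\trustedinstaller" would also match).
$expectedOwners = @{
    "C:\Windows"                   = "NT SERVICE\TrustedInstaller"
    "C:\Program Files"             = "NT SERVICE\TrustedInstaller"
    "C:\Program Files (x86)"       = "NT SERVICE\TrustedInstaller"
    "C:\ProgramData"               = "NT AUTHORITY\SYSTEM"
    "C:\Users"                     = "NT AUTHORITY\SYSTEM"
    "C:\System Volume Information" = "NT AUTHORITY\SYSTEM"
}

# Baseline DACL shared by C:\Windows and both Program Files folders.
# It MUST live in its own variable: the previous version assigned
# $expectedACLs["C:\Windows"] from inside the $expectedACLs literal itself,
# which indexed the still-empty hashtable and silently set both Program Files
# baselines to $null, so those two folders were never compared at all.
$systemFolderBaseline = @(
    @{ Identity = "NT AUTHORITY\SYSTEM";                                                 Rights = "FullControl" },
    @{ Identity = "BUILTIN\Administrators";                                              Rights = "FullControl" },
    @{ Identity = "BUILTIN\Users";                                                       Rights = "ReadAndExecute" },
    @{ Identity = "NT SERVICE\TrustedInstaller";                                         Rights = "FullControl" },
    @{ Identity = "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES";              Rights = "ReadAndExecute" },
    @{ Identity = "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES";   Rights = "ReadAndExecute" }
)

# Rights values are FileSystemRights enum names; the comparison loop treats
# them as the minimum that must be granted and reports anything granted on top.
# NOTE(review): the C:\ProgramData baseline lists only ReadAndExecute for
# BUILTIN\Users; a stock install is believed to also grant Users create rights
# on this folder and subfolders, so expect a warning there unless the baseline
# is adjusted - confirm against a clean reference machine.
$expectedACLs = @{
    "C:\Windows"             = $systemFolderBaseline
    "C:\Program Files"       = $systemFolderBaseline
    "C:\Program Files (x86)" = $systemFolderBaseline
    "C:\ProgramData" = @(
        @{ Identity = "NT AUTHORITY\SYSTEM";     Rights = "FullControl" },
        @{ Identity = "BUILTIN\Administrators";  Rights = "FullControl" },
        @{ Identity = "BUILTIN\Users";           Rights = "ReadAndExecute" }
    )
    "C:\Users" = @(
        @{ Identity = "NT AUTHORITY\SYSTEM";     Rights = "FullControl" },
        @{ Identity = "BUILTIN\Administrators";  Rights = "FullControl" },
        @{ Identity = "BUILTIN\Users";           Rights = "ReadAndExecute" },
        @{ Identity = "Everyone";                Rights = "ReadAndExecute" }
    )
}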
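# The report is written to the user's actual Desktop folder. %USERPROFILE%\Desktop
# is wrong when the Desktop is redirected (GPO folder redirection, OneDrive
# Known Folder Move), so resolve it via the shell and only fall back to the
# literal path when that yields nothing.
$desktopDir = [Environment]::GetFolderPath('Desktop')
if ([string]::IsNullOrEmpty($desktopDir)) { $desktopDir = "$env:USERPROFILE\Desktop" }
$reportPath = Join-Path $desktopDir "Raport_Uprawnienia.txt"
# First write creates/truncates the report; every later write appends.
"Raport porównania uprawnień - $(Get-Date)" | Out-File $reportPath
Write-Output "🔍 Rozpoczynam analizę folderów względem standardowego wzorca uprawnień..."
pause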
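# Mask of the concrete FileSystemRights bits (FullControl = 0x1F01FF).
# ACEs that carry only generic rights (GENERIC_ALL 0x10000000, GENERIC_EXECUTE
# 0x20000000, GENERIC_WRITE 0x40000000, GENERIC_READ 0x80000000 - rendered by
# FileSystemRights.ToString() as large or negative integers such as 268435456)
# fall outside this mask and are not mapped to concrete rights here; they are
# still printed verbatim in the report.
$fullControlBits = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$synchronizeBits = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$genericAllBit   = 0x10000000

foreach ($folder in $folders) {
    Write-Output "`n📁 Sprawdzam: $folder"
    pause
    try {
        $acl   = Get-Acl -Path $folder
        $owner = $acl.Owner
        $lines = @()
        $lines += "----------------------------------------"
        $lines += "Folder: $folder"
        $lines += "Właściciel: $owner"
        if ($expectedOwners[$folder] -and $owner -ne $expectedOwners[$folder]) {
            $lines += "⚠️ UWAGA: Niewłaściwe uprawnienia właściciela! Oczekiwano: $($expectedOwners[$folder])"
        }

        # identity -> union (bitwise OR) of the rights granted by its Allow ACEs.
        # One identity usually has several ACEs on a folder ("this folder only"
        # plus "subfolders and files"), so they are merged instead of the last
        # one silently overwriting the earlier ones. Deny ACEs are printed but
        # never counted as granted rights.
        $grantedRights = @{}
        foreach ($access in $acl.Access) {
            $identity = $access.IdentityReference.Value
            $rights   = $access.FileSystemRights.ToString()
            $isAllow  = $access.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
            $lines += "→ ${identity}: ${rights} | Typ: $($access.AccessControlType) | Dziedziczenie: $($access.IsInherited)"
            if ($identity -like "*S-1-*") {
                # Unresolvable SID: typically an orphaned account or a principal
                # from a domain this machine can no longer reach.
                $lines += "⚠️ Nieznany SID: $identity"
            }
            if (-not $isAllow) { continue }

            $bits = [int]$access.FileSystemRights
            if ($grantedRights.ContainsKey($identity)) {
                $grantedRights[$identity] = $grantedRights[$identity] -bor $bits
            } else {
                $grantedRights[$identity] = $bits
            }
            # Only an Allow ACE is a finding here; a Deny of FullControl for
            # Everyone is harmless. GENERIC_ALL is checked too because it is
            # full control that the string form never spells out as "FullControl".
            if ($identity -eq "Everyone" -and
                ((($bits -band $fullControlBits) -eq $fullControlBits) -or (($bits -band $genericAllBit) -ne 0))) {
                $lines += "⚠️ Everyone ma FullControl!"
            }
        }

        if ($expectedACLs.ContainsKey($folder)) {
            foreach ($expected in $expectedACLs[$folder]) {
                $id             = $expected.Identity
                $expectedRights = $expected.Rights
                $expectedBits   = [int][System.Security.AccessControl.FileSystemRights]$expectedRights
                if (-not $grantedRights.ContainsKey($id)) {
                    $lines += "⚠️ Brak wpisu ACL dla $id (oczekiwano: $expectedRights)"
                    continue
                }
                # Compare concrete rights bits only (generic bits are masked off).
                $actualBits = $grantedRights[$id] -band $fullControlBits
                if (($actualBits -band $expectedBits) -ne $expectedBits) {
                    $lines += "⚠️ $id nie ma domyślnych uprawnień dostępu, możliwe problemy! ($expectedRights)"
                }
                # Rights beyond the baseline are the security-relevant deviation:
                # e.g. Write/Modify for Users on a system folder lets a
                # low-privileged account plant or replace files there. Synchronize
                # is present on every directory ACE and is ignored.
                $excessBits = $actualBits -band (-bnot ($expectedBits -bor $synchronizeBits))
                if ($excessBits -ne 0) {
                    $excess = [System.Security.AccessControl.FileSystemRights]$excessBits
                    $lines += "⚠️ $id ma więcej uprawnień niż oczekiwano (dodatkowo: $excess)"
                }
            }
        }
        $lines | Out-File -Append $reportPath
    } catch {
        # Get-Acl throws when the current token cannot read the DACL (usually
        # needs elevation; C:\System Volume Information is readable by SYSTEM
        # only, even for administrators) and when the path does not exist -
        # the exception text tells the two apart.
        "❌ Brak dostępu do $folder — uruchom jako administrator ($($_.Exception.Message))" | Out-File -Append $reportPath
    }
}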
# Closing console notice pointing at the report; the pause keeps the window
# open when the script was started by double-click.
Write-Output "`n✅ Analiza zakończona. Raport uprawnień do folderów systemowych zapisany w pliku LOG: $reportPath"
pause